WHAT IS CLAIMED IS: 

1. A communication gateway apparatus to be 
coupled between a server and a client, comprising: 

a reception unit configured to receive a content 
transferred from the server to the client; 

an extraction unit configured to extract a script 
program from the received content; 

a storage to store transfer destination informa- 
tion representing a plurality of transfer destinations 
designated as authentic; 

an inspection unit configured to inspect the 
script program to detect that the script program has a 
function of transferring any one of information stored 
in the client and the received content, thereby 
identifying at least one transfer destination of the 
information; 

a determination unit configured to determine 
whether or not transfer of the content is permitted, by 
collating the identified transfer destination of the 
information with the plurality of transfer destinations 
of the destination information; and 

a transmission unit configured to transmit the 
content to the client only when the determination unit 
determines that transfer is permitted. 

2. The apparatus according to claim 1, wherein 
the inspection unit identifies a plurality of transfer 
destinations of the information, and wherein the 
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determination unit determines that transfer is 
permitted only if all the transfer destinations of the 
information are within the plurality of transfer 
destinations of the destination information. 
5 3. The apparatus according to claim 1, wherein 

the inspection unit is further configured to output, 
if the transfer destination of the information is 
unidentifiable, an arbitrary transfer destination, and . 
the determination unit determines that transfer of the 
10 content is not permitted. 

4. The apparatus according to claim 1, wherein 
the information includes cookie information held in a 
Web browser running in the client. 

5. The apparatus according to claim 1, wherein 
15 the destination information includes any one of a list 

of permitted URLs and regular expressions. 

6. A communication gateway apparatus to be 
coupled between a server and a client, comprising: 

a reception unit configured to receive a content 
20 having an input form and transferred from the server to 

the client; 

an extraction unit configured to extract a script 
program from the received content; 

a storage to store transfer destination informa- 
25 tion representing a plurality of transfer destinations 

designated as authentic; 

an inspection unit configured to inspect the 
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script program to detect that the script program has a 
function of changing a transmission destination of the 
input form, thereby identifying at least one changed 
transfer destination of the input form; 
5 a determination unit configured to determine 

whether or not transfer of the content is permitted, by 
collating the changed transfer destination of the input 
form with the plurality of transfer destinations of the 
destination information; and 

10 a transmission unit configured to transmit the 

content to the client only when the determination unit 
determines that transfer is permitted. 

7. The apparatus according to claim 6, wherein 
the inspection unit identifies a plurality of changed 

15 transfer destinations of the input form, and wherein 

the determination unit determines that transfer is 
permitted only if all the changed transfer destinations 
of the input form are within the plurality of transfer 
destinations of the destination information, 

20 8. The apparatus according to claim 6, wherein 

the inspection unit is further configured to output, if 
the changed transfer destination of the input form is 
unidentifiable, an arbitrary transfer destination, and 
the determination unit determines that transfer of the 

25 content is not permitted, 

9. The apparatus according to claim 6, wherein 
the destination information includes any one of a list 
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of permitted URLs and regular expressions. 

■10. A communication gateway apparatus to be 
coupled between a server and a client, comprising: 

a reception unit configured to receive a content 
having a first input form and transferred from the 
server to the client; 

an extraction unit configured to extract a script 
program from the received content; 

a storage to store request destination information 
representing a plurality of request destinations 
designated as authentic; 

an inspection unit configured to inspect the 
script program to detect that the script program has a 
function of requesting an external content having a 
second input form to be used in place of the first 
input form, thereby identifying at least one request 
destination of the external content; 

a determination unit configured to determine 
whether or not transfer of the content is permitted, by 
collating the identified request destination of the 
external content with the plurality of the request 
destinations of the destination information; and 

a transmission unit configured to transmit the 
content to the client only when the determination unit 
determines that transfer is permitted. 

11. The apparatus according to claim 10, wherein 
the inspection unit identifies a plurality of request 
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destinations of the external content, and wherein 
the determination unit determines that transfer is 
permitted only if all the request destinations of the 
external content are within the plurality of request 
5 destinations of the destination information. 

12. The apparatus according to claim 10, wherein 
the inspection unit is further configured to output, if 
the request destination of the external content is 
unidentifiable, an arbitrary request destination, and 

10 the determination unit determines that transfer of the 

content is not permitted. 

13. The apparatus according to claim 10, wherein 
the destination information includes any one of a list 
of permitted URLs and regular expressions. 

15 14. A communication gateway apparatus to be 

coupled between a server and a client, comprising: 

a reception unit configured to receive a content 
having a form and transferred from the server to the 
client; 

20 an extraction unit configured to extract a script 

program from the received content; 

a storage to store request destination information 

representing a plurality of request destinations 

designated as authentic; 
25 an inspection unit configured to inspect the 

script program to detect that the script program has a 

function of requesting an external content having an 
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input form to be inserted within the form, thereby 
identifying at least one request destination of the 
external content; 

a determination unit configured to determine 
5 whether or not transfer of the content is permitted, by 

collating the identified request destination of the 
external content with the plurality of the request 
destinations of the destination information; and 

a transmission unit configured to transmit the 
10 content to the client only when the determination unit 

determines that transfer is permitted. 

15. The apparatus according to claim 14, wherein 
the inspection unit identifies a plurality of request 
destinations of the external content, and wherein 

15 the determination unit determines that transfer is 

permitted only if all the request destinations of the 
external content are within the plurality of request 
destinations of the destination information. 

16. The apparatus according to claim 14, wherein 
20 the inspection unit is further configured to output, if 

the request destination of the external content is 
unidentifiable, an arbitrary request destination, and 
the determination unit determines that transfer of the 
content is not permitted. 
25 17. The apparatus according to claim 14, wherein 

the destination information includes any one of a list 
of permitted URLs and regular expressions. 
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18. A communication gateway apparatus to be 
coupled between a server and a client, comprising: 

a reception unit configured to receive a content 
transferred from the server to the client; 

an extraction unit configured to extract a script 
program from the received content; 

a storage to store transfer destination informa- 
tion representing a plurality of transfer destinations 
designated as authentic; 

an inspection unit configured to inspect the 
script program to detect that the script program has 
a function of adding an input form to the received 
content, and a function of transferring the input form, 
thereby identifying at least one transfer destination 
of the input form; 

a determination unit configured to determine 
whether or not transfer of the content is permitted, by 
collating the identified transfer destination of the 
information with the plurality of transfer destinations 
of the destination information; and 

a transmission unit configured to transmit the 
content to the client only when the determination unit 
determines that transfer is permitted. 

19. The apparatus according to claim 18, wherein 
the inspection unit identifies a plurality of transfer 
destinations of the input form, and wherein the 
determination unit determines that transfer is 
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permitted only if all the transfer destinations of the 
information are within the plurality of transfer 
destinations of the destination information. 

20. The apparatus according to claim 18, wherein 
the inspection unit is further configured to output, 
if the transfer destination of the information is 
unidentifiable, an arbitrary transfer destination, and 
the determination unit determines that transfer of the 
content is not permitted. 

21. The apparatus according to claim 18, wherein 
the destination information includes any one of a list 
of permitted URLs and regular expressions. 

22. The apparatus according to claim 1, further 
comprising: 

a document generation unit configured to generate 
a document by partially executing the extracted script 
program,- and wherein the extraction unit further 
extracts another script program to be inspected from 
the document. 

23. The apparatus according to claim 1, wherein 
when the determination unit determines that transfer is 
not permitted, the transmission unit transmits an error 
content to the client instead of the received content. 

24. The apparatus according to claim 1, wherein 
when the determination unit determines that transfer 
is not permitted, the transmission unit transmits a 
message notifying that transfer is not permitted, to an 
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account of an administrator. 

25. The apparatus according to claim 24, wherein 
the transmission unit adds at least the received 
content to the message and transmits the message. 

26. A method of affording security of communi- 
cation between a vulnerable server and a client, 
comprising: 

receiving a content transferred from the 

vulnerable server; 

extracting a script program from the received 

contents- 
inspecting the script program to identify a 

transfer destination of information, where transferring 

the information is caused by the client executing the 

script programs- 
collating the identified transfer destination of 

the information with a permitted transfer destination 

list; and 

transmitting the received content to the client 
only if the identified transfer destination of the 
information is within the permitted transfer destina- 
tion list, so as to prevent the information from 
illicitly transferring to a malicious server. 

27. A computer program product for affording 
security of communication between a vulnerable server 
and a client, comprising: 

means for instructing a computer to receive a 
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content transferred from the vulnerable server; 

means for instructing the computer to extract a 
script program from the received content; 

means for instructing the computer to inspect the 
script program to identify a transfer destination of 
information, where transferring the information is 
caused by the client executing the script program; 

means for instructing the computer to collate the 
identified transfer destination of the information with 
a permitted transfer destination list; and 

means for instructing the computer to transmit the 
received content to the client only if the identified 
transfer destination of the information is within the 
permitted transfer destination list, so as to prevent 
the information from illicitly transferring to a 
malicious server. 



